DataRet0512En

Data retention: legislative sausage machine in overdrive

The FFII has a lot of experience with the European decision making process. It is from this angle that we approach the proposed Data Retention directive and the way it is being shoved through Parliament. Unfortunately, parallels with the software patents directive are easy to draw. It is even worse in this case, as the Commission and Council are pushing for a single reading deal after less than 3 months since the initial Commission proposal.

It is unfathomable how the European institutions, and the European Parliament in particular, are supposed to properly assess the impact of this directive in cooperation with various human and digital rights associations.

We mention a number of issues below which clearly demonstrate that this directive is by no means ready to be adopted.

Misrepresentation of study conclusions

"Wie wat bewaart heeft wat", or "He who retains something has something" in English. This is the title of a study by the Dutch Erasmus University on the usefulness of data retention for law enforcement purposes (the first, and even only as far as we know, European public research of its kind). As noted by EDRI, the Commission's assertion (page 4) that it confirms "the importance of traffic data for all sorts of investigations" was thoroughly blasted in the Dutch Parliament. Even the researchers who wrote it warn they can't qualify the usefulness of these data as direct or indirect evidence, or the representativeness of the sample of cases for law enforcement in general.

In case of the software patents directive, the Commission drew similarly unfounded conclusions from an "impact assessment" study which consisted of polling UK-based !SMEs about their need for software patents. The consensus among all 11 respondents was that they were not interested in software patents, and did not want them. From these 11 responses, the Commission concluded that European !SMEs need to be better informed about the advantages that software patents offer them.

National parliaments disagree

The Committee on Justice and Internal Affairs of the Dutch Senate is currently debating with Dutch Minister of Justice Donner regarding the Council framework proposal and the proposed Commission directive. In its letter of 1 november 2005 to the minister, it strongly criticised the various proposed measures, the lack of supporting evidence regarding necessity and the existence of various ways to circumvent the collection of data (making it largely useless in their eyes).

Additionally, it also strongly attacked the conclusions of the KPMG report which is cited by the Commission. Minister's Donner's reply on 28 November 2005 was clearly unconvincing, as the Committee once more refused to approve his proposal on 29 November 2005. It remains to be seen how the Dutch government will behave in the Council, given its infamous track record in the software patents case.

Responsible advisory EU body disagrees

The European Data Protection Supervisor notes in his opinion, among other things, that "The EDPS recognises the changes of circumstances, but is as yet not convinced of the necessity of the retention of traffic and location data for law enforcement purposes, as established in the proposal.". He cites a lack of studies showing the need for data retention and notes concerns regarding respect for the European Charter of Human Rights.

Similarly, the Economic and Social Committee heavily criticised the Commission proposal for the software patents directive due to lack of impact assessment studies and because of the absence of a demonstrable need for software patents.

No consensus

On page 10 of its "extended impact assessment", the Commission notes "Although public consultation and debate on this issue has been wide-spread, including discussions at the European Parliament, no common solutions have emerged from this."

The Commission's answer is apparently to write a text and try to push it through the entire legislative procedure in three months. Forcing a "consensus" this way by simply not allowing any time to form an opinion about said text, nor to consider the impact of the legislative proposal, is making a mockery out of the democratic process by which the EU is supposed to be governed.

The software patents directive was not based on one or other consensus either, but on the wishes of a few stakeholders with lots of influence.

European Parliament has serious concerns

The revised recital 18 of the EP's LIBE report (LIBE, the Committee on Civil Liberties, Justice and Home Affairs, is the responsible committee for this directive in the European Parliament) reads

it is unclear whether this Directive does not go beyond what is necessary and proportionate in order to achieve those objectives, as also pointed out by the European Data Protection Supervisor.

Recital 19 notes

| This Directive could better respect the fundamental rights and the principles recognised, in particular, by the Charter of Fundamental Rights of the European Union |

So we now have a Parliamentary committee proposing a directive which states about itself that it is quite possibly going beyond what is necessary and proportionate, and which also says that it could do better in terms of respecting the Charter of Fundamental Rights. At the very least this indicates that this directive is not ready for rubberstamping.

In case of the software patents directive, the attempt of the Commission and Council to push through a text which did not answer at all to the concerns raised by the EP is well known: the first ever rejection of a directive in the second reading by the EP.

Member state reservations

There is quite an impressive list of reservations by member states attached to the Council presidency's "compromise proposal". This is extremely reminiscent to the software patents directive, which was approved by the Council in first reading with reservations by Belgium, Cyprus, Denmark, France, Hungary, Latvia, the Netherlands and Poland.

Conclusion

Unfortunately, it seems the Council and Commission have not given up on their strategy on trying to push through Parliament whatever they like. They misrepresent independent studies. They encourage Parliament to disregard due diligence in the interest of some vague higher goal: the Lisbon agenda in the software patents case, fighting terrorism in case of data retention. Stakeholders don't get a proper chance to be heard, or are plainly ignored.

Before the Commission took over the initiative, the Council was already trying to get similar measures instated by means of a Council framework decision. When using this legislative tool, the Council is not required to ask the opinion of the European Data Protection Supervisor, but one can wonder why they did not do so. If ever there was a matter for the EDPS, this directive is it. But this is consistent with the Council's past behaviour of commitment to keeping the legislation sausage machine running smoothly. Their motto often seems to be 'Better Bad Legislation than No Legislation'.

What's even worse is that this is no isolated incident. We see similar time pressure being exerted in case of the IPRED2 directive, and a similar contempt for the opinions of various stakeholder representatives. And in both cases, terrorism is supposed to make Parliament swallow everything the Commission and Council throw at them.

More than ever, we need a Parliament which can say a clear "NO" to indiscriminate legislative spamming and pressure by the Commission and Council. We need good directives, and a good directive means a proper overview of the big picture (the relation between the various "terrorism"-inspired directives thrown at various subcommittees of the EP), proper impact assessment, time to consider concerns of civil society and industry, and especially time for Parliament to form its own opinion.